Attacker's Playbook Top 5 Is High On Passwords, Low On Malware

Report: Penetration testers' five most reliable methods of compromising targets include four different ways to use stolen credentials, but zero ways to exploit software.

Playing whack-a-mole with software vulnerabilities should not be top of security pros' priority list because exploiting software doesn't even rank among the top five plays in the attacker's playbook, according to a new report from Praetorian.

Organizations would be far better served by improving credential management and network segmentation, according to researchers there.

Over the course of 100 internal penetration tests, Praetorian pen testers successfully compromised many organizations using the same kinds of attacks. The most common of these "root causes" though, were not zero-days or malware at all.

The top five activities in the cyber kill chain -- sometimes used alone, sometimes used in combination -- were:

attacks on cleartext passwords in memory (like those using Mimikatz) -- 59%

insufficient network segmentation -- 52%

The top four on this list are all attacks related to the use of stolen credentials, sometimes first obtained via phishing or other social engineering. Instead of suggesting how to defend against social engineering, Praetorian outlines mitigations to defend against what happens after a social engineer gets past step one.

"If we assume that 1 percent [of users] will click on the [malicious] link, what will we do next?" says Joshua Abraham, practice manager at Praetorian. The report suggests specific mitigation tactics organizations should take in response to each one of these attacks -- tactics that may not stop attackers from stealing credentials, but "building in the defenses so it's really not a big deal if they do."

As Abraham explains, one stolen password should not give an attacker (or pen tester) the leverage to access an organization's entire computing environment, exfiltrating all documents along the way -- should not, but often does. By implementing mitigations against the attacks mentioned above, an organization ensures "you don't have that cascading effect," from one stolen credential, says Abraham. "The blast radius is very minimal."

The report does, of course, reflect the actions of Praetorian penetration testers, not actual attackers. But the report states that "Praetorian’s core team includes former NSA operators and CIA clandestine service officers who are able to mimic the kill chains that are outlined in Verizon, Mandiant, and CrowdStrike’s annual breach reports." Indeed, the 2016 Verizon Data Breach Investigations Report attributed more breaches to hacking than to malware, and the use of stolen credentials was the most common sub-category of hacking. The M-Trends 2016 Report by Mandiant, a FireEye company, found that stolen credentials were "the most efficient and undetected technique for compromising an enterprise."

Abraham says Praetorian pen testers -- and many attackers -- prefer to use system weaknesses over software exploits, for several reasons. For one, he says, malware can fail or cause system failures, which draw attention to the attacker. Vulnerability scans are "noisy" and unnecessary, according to the report. Plus, while a software hole can be quickly closed with a patch, "design weaknesses will be present in the environment until the design changes," states the report, meaning they have a long shelf life, because they take a longer time to fix.

Mitigation

There are basic, inexpensive practices and tools that would hugely improve organizations' security without costing them millions, according to the report, but Abraham says that pen testers found that many organizations were missing these basic elements.

He recommended that organizations wanting to clean up their act, start with #3 and #4 on the list (pass-the-hash and cleartext passwords in memory), because they're the "most achievable." According to the report:

Deploying Microsoft's LAPS tool on workstations and servers will go a long way to protecting against pass-the-hash attacks.

Mimikatz and other attacks against cleartext passwords in memory can be largely cleaned up with a basic registry change, installation of Microsoft Security Advisory 2871997, and regular monitoring for any unauthorized registry changes.

Once that's done, Abraham suggests moving on to #1 and #2 (weak domain user passwords and broadcast name resolution poisoning) and leaving #5 (insufficient network segmentation) for last, since it will take the most time to fix.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

How many exploits, such as cleartext passwords in ill-protected memory, are unique to Windows? Ransomware barely exists outside Windows. These security companies make a lot of money from Microsoft's security weaknesses. If they cared about their customers' needs, they'd push them off Windows.

I`m personally thinking that password managers are the best way to protect you data. I am feeling more comfortable, when my passwords are encrypted and stored in the cloud. This is not that expensive, and i can reccomend 3 of them - Keeper, Lastpass and Passwork (https://passwork.me). The last one is better for an entrepreneurs

I really think "insufficient network segmentation" should be something along the lines of "insufficient network isolation" or "insufficient network protection." I talk to a good number of network and security people who seem to assume that if they have different VLANs/subnets (network segmentation) then they are somehow protected from attackers moving laterally inside the network. This is unfortunately a common misconception. Without the appropriate network traffic isolation/filter/protection, threats can move from one layer 2 segment to another layer 2 segment very easily. I personally think that network/security admins need to start looking at implementing rudimentary security controls like ACLs, (which I know this piece mentions, but not soon enough in my opinion) on strategic network devices through the enterprise. Don't even worry about drilling down to the UDP/TCP port level at the point, but put in place easy to understand IP based ACLs that, for instance reduce attack surface by limiting desktop PCs from reaching other desktop PCs, etc. or the end user community from reaching the desktops/laptops of company executives. Your CEOs PC simply should not be reachable from end user devices.

What good does that do? if passwords are read from memory, length and age do not matter in the least. The longer the password the more likely it will be deliberately weakened by whoever generates it. Password aging is a much worse idea and is specifiically not recommended by NIST now. If password hashes are stolen it means the system is compromised and cannot be trusted to leak any other valuable information including cleartext passwords read from memory. It will be great when people finally get away from the 1980's mentality of vulnerable hashes.

Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.

In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possib...

Teradata Viewpoint before 14.0 and 16.20.00.02-b80 contains a hardcoded password of TDv1i2e3w4 for the viewpoint database account (in viewpoint-portal\conf\server.xml) that could potentially be exploited by malicious users to compromise the affected system.

In Axway File Transfer Direct 2.7.1, an unauthenticated Directory Traversal vulnerability can be exploited by issuing a specially crafted HTTP GET request with %2e instead of '.' characters, as demonstrated by an initial /h2hdocumentation//%2e%2e/ substring.